Office Web Components (OWC) is a group of safe-for-scripting components used to enrich HTML documents with Spreadsheets, Charts,
Pivot tables and more.

OWC ships with the Microsoft Office package, but it is also
downloadable as a separate (free for viewing only) component.

Discussion:

It is well documented that IE lets anybody read and write clipboard data by default. Until now, it was possible to disable this feature
by setting "Allow paste operations via script" to "Disable".

It is now possible to gain control over the clipboard even when script access to it is disabled in the security zone, via the
Spreadsheet component in both OWC9 and OWC10.

The "Paste" method of the Range object and the "Copy" method of the Cell object both give an attacker full control over clipboard
operations.

The attacker can continuously monitor the victim's clipboard and log the findings to a server for later inspection. It is also possible
for an attacker to place data inside the clipboard.

Update (22-Aug-2002):

Microsoft has released a patch for these issues. However, the
"Kill Bit" was not set for the vulnerable OWC version. This means that an attacker can easily reintroduce the old OWC, properly signed
by Microsoft, and gain complete access to the vulnerabilities we found. And contrary to what Microsoft claims, it is not that easy to
notice it installing itself: an attacker can open an off-screen window that will silently install OWC without the user knowing.

This is a fundamental problem in the patch, and it renders the patch quite useless for users who set their IE to trust content from
Microsoft or users who tend to click "Yes" when they see controls signed by Microsoft.
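
Because the patch leaves the kill bit unset, administrators can audit and set it themselves. The following PowerShell is an added example, not part of the original advisory or any Microsoft tooling; it uses the OWC10 class id quoted in this advisory, and the function names are hypothetical. It relies on the documented IE kill bit (value 0x400 in "Compatibility Flags" under the ActiveX Compatibility key).

```powershell
# Added example: audit, and optionally set, the IE kill bit for ActiveX class ids.
# The CLSID below is the OWC10 Spreadsheet class id quoted in this advisory;
# append any other class ids you need to block.
$ClassIds = @('{0002E551-0000-0000-C000-000000000046}')
$KillBit  = 0x400   # "Compatibility Flags" bit that stops IE instantiating the control

# Native and 32-bit-on-64-bit views of the ActiveX Compatibility key.
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-Flags([string]$Key) {
    # Returns $null when the key or the value does not exist.
    if (-not (Test-Path $Key)) { return $null }
    (Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
}

function Get-KillBitStatus([string[]]$Clsid, [string[]]$Root) {
    foreach ($r in $Root) {
        if (-not (Test-Path $r)) { continue }      # e.g. no WOW6432Node on 32-bit hosts
        foreach ($c in $Clsid) {
            $key   = Join-Path $r $c
            $flags = Get-Flags $key
            [pscustomobject]@{
                Key     = $key
                Flags   = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(not set)' }
                Blocked = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
            }
        }
    }
}

function Set-KillBit([string[]]$Clsid, [string[]]$Root) {
    # Requires an elevated session; preserves any other flag bits already present.
    foreach ($r in $Root) {
        if (-not (Test-Path $r)) { continue }
        foreach ($c in $Clsid) {
            $key = Join-Path $r $c
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            $cur = Get-Flags $key
            $new = if ($null -eq $cur) { $KillBit } else { $cur -bor $KillBit }
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
        }
    }
}

Get-KillBitStatus -Clsid $ClassIds -Root $Roots | Format-Table -AutoSize
# Set-KillBit -Clsid $ClassIds -Root $Roots    # uncomment to apply the mitigation
```

Setting the kill bit stops Internet Explorer from instantiating the control at all, so pages that legitimately depend on the Spreadsheet component will stop working in the browser.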

The class id of the <object> element above is for the spreadsheet component of OWC9 (Microsoft Office 2000). OWC10's class id
is "0002E551-0000-0000-C000-000000000046"; no further changes in code are needed.

An attacker can actually use the fallback feature of the <object> element to include either one of these components: